Re: [openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project

2017-09-08 Thread Innus, Martins
Gord,

Thanks for the reply.

On Sep 7, 2017, at 4:15 PM, gordon chung wrote:

> On 2017-09-07 02:15 PM, Innus, Martins wrote:
>> The fix seems to be something like the attached patch and setting the 
>> appropriate configs in keystone.conf.
>>
>> One curious thing is that with the default keystone config, requests from all 
>> projects have "X-Is-Admin-Project: True"
>>
>> If I set admin_project_domain_name and admin_project_name, only then do the 
>> non admin projects have the header set to False.
>
> apologies, do you have more details on what 'X-Is-Admin-Project' is? i'm
> not familiar with this header.


As far as I can tell it's meant for designating an overall cloud admin account. 
Reference to creation of the keystone config options:

https://review.openstack.org/#/c/240719/

Where the HEAT team seems to have used it for the same purpose, but by making 
changes in the policy.json:

https://review.openstack.org/#/c/316627/

But in my limited understanding of how Panko works, using the header seems to be 
the easiest way to get this functionality:

https://github.com/openstack/keystonemiddleware/commit/0562670d4e56c257aec8db5a2bb651b5e59fddb2


> currently, the behaviour is that:
> - a member of a project can only see its own events
> - an admin of a project can see all the events of a project (and any
> events without any project associated with it)
>
> if this is the way of denoting a user is a 'super-admin' that has access
> to all events, i'm ok with it.


Yeah, that's what I'm going for, but as I said, I've barely started to scratch 
the surface of OpenStack, so there may be a better way of doing this.

Thanks

Martins

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
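
The visibility rules discussed in the message above, as an added example (not code from the thread, the attached patch, or Panko): a request is treated as cloud-wide admin only when it carries the admin role and X-Is-Admin-Project: True, and only once the operator has declared keystone's admin project configured, because with keystone defaults the header is True for every project. The function names, the admin_project_configured parameter and the sample project ids are assumptions.

```python
# Added example: hypothetical scoping helper, not Panko's own rbac code.
# Header names are those keystonemiddleware's auth_token sets on a request.


def _flag(value):
    """Parse a 'True'/'False' header value; None when the header is absent."""
    return None if value is None else value.strip().lower() == "true"


def event_scope(headers, admin_project_configured):
    """Return (scope, project_id) for an event query.

    scope: 'all'            every project's events (cloud-wide admin)
           'project_admin'  own project plus events with no project
           'project_member' own project only
    admin_project_configured (assumed service-side setting): the operator
    confirms keystone has admin_project_domain_name and admin_project_name set.
    """
    project_id = headers.get("X-Project-Id")
    if not project_id:
        raise PermissionError("token is not scoped to a project")
    roles = {r.strip().lower() for r in headers.get("X-Roles", "").split(",")}
    if "admin" not in roles:
        return ("project_member", project_id)
    # With keystone defaults every project gets X-Is-Admin-Project: True, so
    # the header is only trusted once the admin project is configured.
    if admin_project_configured and _flag(headers.get("X-Is-Admin-Project")) is True:
        return ("all", None)
    return ("project_admin", project_id)


# Constructed sample requests; project ids are made up.
CLOUD_ADMIN = {"X-Roles": "admin", "X-Project-Id": "p-admin", "X-Is-Admin-Project": "True"}
TENANT_ADMIN = {"X-Roles": "admin,member", "X-Project-Id": "p-42", "X-Is-Admin-Project": "False"}
TENANT_MEMBER = {"X-Roles": "member", "X-Project-Id": "p-42", "X-Is-Admin-Project": "True"}

if __name__ == "__main__":
    for name, hdrs in [("cloud admin", CLOUD_ADMIN), ("tenant admin", TENANT_ADMIN),
                       ("tenant member", TENANT_MEMBER)]:
        print(name, event_scope(hdrs, admin_project_configured=True))
    # Keystone left at defaults: the header is not trusted, scope stays per project.
    print("defaults", event_scope(CLOUD_ADMIN, admin_project_configured=False))
```
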


Re: [openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project

2017-09-07 Thread gordon chung


On 2017-09-07 02:15 PM, Innus, Martins wrote:
> The fix seems to be something like the attached patch and setting the 
> appropriate configs in keystone.conf.
> 
> 
> One curious thing is that with the default keystone config, requests from all 
> projects have "X-Is-Admin-Project: True"
> 
> If I set admin_project_domain_name and admin_project_name, only then do the 
> non admin projects have the header set to False.

apologies, do you have more details on what 'X-Is-Admin-Project' is? i'm 
not familiar with this header.

currently, the behaviour is that:
- a member of a project can only see its own events
- an admin of a project can see all the events of a project (and any 
events without any project associated with it)

if this is the way of denoting a user is a 'super-admin' that has access 
to all events, i'm ok with it.

cheers,

-- 
gord


[openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project

2017-09-07 Thread Innus, Martins
Hi,
Just getting started with OpenStack and one of the stumbling blocks so 
far is that unless I missed it, there is no way for the main admin user to 
request event data for all projects:

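[root@srv-m10-05-02 keystone]# ceilometer event-list -q 'event_type=compute.instance.create.start'
+------------+------------+-----------+--------+
| Message ID | Event Type | Generated | Traits |
+------------+------------+-----------+--------+
+------------+------------+-----------+--------+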


Where there are definitely instances running and the user that created them has 
no issue seeing the events:

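[minnus@srv-m10-05-02 ~]$ ceilometer  event-list -q 'event_type=compute.instance.create.start' --limit 1
+--------------------------------------+-------------------------------+----------------------------+---
| Message ID                           | Event Type                    | Generated                  | Traits
+--------------------------------------+-------------------------------+----------------------------+---
| b7ce7652-9745-487d-9fcc-570c7c972080 | compute.instance.create.start | 2017-08-29T15:37:39.707727 | +----------+---------+---
|                                      |                               |                            | |   name   |   type  |  value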
……


The fix seems to be something like the attached patch and setting the 
appropriate configs in keystone.conf.


One curious thing is that with the default keystone config, requests from all 
projects have "X-Is-Admin-Project: True"

If I set admin_project_domain_name and admin_project_name, only then do the 
non admin projects have the header set to False.

This is on:
 - CentOS 7.3
 - Ocata
 - Panko backed by MariaDB.

Is this change something that would be accepted?

Thanks!

Martins



panko.patch